setfacl – Setting file Access Control Lists (ACLs)

According to Wikipedia, an ACL:

“…is a list of permissions attached to an object.”

“An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects.”

On Linux, POSIX ACLs extend rather than replace the traditional user/group/other permission bits: the classic bits become the base entries (user::, group::, other::), and additional entries grant rights to specific named users and groups. Now, to the CLI!

The setfacl help output:

setfacl --help
setfacl 2.2.53 -- set file access control lists
Usage: setfacl [-bkndRLP] { -m|-M|-x|-X ... } file ...
-m, --modify=acl modify the current ACL(s) of file(s)
-M, --modify-file=file read ACL entries to modify from file
-x, --remove=acl remove entries from the ACL(s) of file(s)
-X, --remove-file=file read ACL entries to remove from file
-b, --remove-all remove all extended ACL entries
-k, --remove-default remove the default ACL
--set=acl set the ACL of file(s), replacing the current ACL
--set-file=file read ACL entries to set from file
--mask do recalculate the effective rights mask
-n, --no-mask don't recalculate the effective rights mask
-d, --default operations apply to the default ACL
-R, --recursive recurse into subdirectories
-L, --logical logical walk, follow symbolic links
-P, --physical physical walk, do not follow symbolic links
--restore=file restore ACLs (inverse of `getfacl -R')
--test test mode (ACLs are not modified)
-v, --version print version and exit
-h, --help this help text

In order to check the current ACL status of a given file, one can use getfacl:

touch foobar

getfacl foobar
# file: foobar
# owner: rozanski
# group: rozanski
user::rw-
group::rw-
other::r--

where:

r = read

w = write

x = execute

and a - in any position means that right is not granted. A file with only the three base entries has no extended ACL, so getfacl shows exactly what ls -l would.

A few examples of the setfacl command:

Let’s give the libvirt group read/write access to foobar:

setfacl -m g:libvirt:rw- foobar

getfacl foobar
# file: foobar
# owner: rozanski
# group: rozanski
user::rw-
group::rw-
group:libvirt:rw-
mask::rw-
other::r--

we can see a new named-group entry, group:libvirt:rw-, and also a mask::rw- entry that setfacl computed automatically. The mask caps the effective rights of every named user, named group and the owning group entry (the owner’s user:: entry and other:: are never masked). Keep in mind that a later chmod on the file rewrites the mask, not the named entries, so getfacl may then show the named entry with a reduced #effective: value. ls -l marks a file that carries an extended ACL with a + after the mode bits.

Now, let’s remove the libvirt group entry from foobar:

setfacl -x g:libvirt foobar

getfacl foobar
# file: foobar
# owner: rozanski
# group: rozanski
user::rw-
group::rw-
mask::rw-
other::r--

The libvirt entry is gone, but the mask:: entry stays behind; -b would remove all extended entries, mask included.

Let’s change the r-- permissions for “other” to rw-:

setfacl -m o:rw- foobar

getfacl foobar
# file: foobar
# owner: rozanski
# group: rozanski
user::rw-
group::rw-
mask::rw-
other::rw-

other::r-- is now other::rw- (the same effect as chmod o+w).

Let’s make it executable for the file owner:

setfacl -m u::rwx foobar

getfacl foobar
# file: foobar
# owner: rozanski
# group: rozanski
user::rwx
group::rw-
mask::rw-
other::rw-

user::rw- is now user::rwx, while mask::rw- is unchanged: the owner entry is not subject to the mask, so this is equivalent to chmod u+x.
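Because the mask entry shown above decides what a named user or group can actually do, it is worth being able to compute the effective rights offline, for example when reviewing getfacl -R dumps from a fleet. The following script is an added example and not part of the original post or of the acl tools: it parses getfacl-style output, applies the mask exactly as the kernel does (named users, named groups and the owning group are capped; the owner and other entries are not) and lists which principals end up with write access. The sample ACL is constructed for the example; it mirrors the page’s foobar with a hypothetical named user alice added and a mask of r--, the state you would see after a chmod g-w on a file that already carries named entries.

```python
"""Compute effective POSIX ACL rights from getfacl(1) output.

Added example: parses getfacl-style text, applies the mask entry the
way the kernel does, and reports who can effectively write.
"""
from dataclasses import dataclass

# Constructed sample: the page's foobar plus a hypothetical named user
# "alice" and a mask of r--, e.g. after `chmod g-w foobar`.
SAMPLE_ACL = """\
# file: foobar
# owner: rozanski
# group: rozanski
user::rw-
user:alice:rwx
group::rw-
group:libvirt:rw-
mask::r--
other::r--
"""

# Constructed sample: a file with only the three base entries (no mask).
SAMPLE_NO_MASK = """\
user::rw-
group::rw-
other::r--
"""


@dataclass(frozen=True)
class AclEntry:
    tag: str        # user / group / mask / other
    qualifier: str  # user or group name, '' for the base entry
    perms: str      # three characters, e.g. 'rw-'

    @property
    def is_masked(self) -> bool:
        """True for entries whose rights are capped by mask::."""
        if self.tag == "user" and self.qualifier == "":
            return False  # the file owner's entry is never masked
        return self.tag in ("user", "group")  # named users/groups, owning group


def parse_getfacl(text: str) -> list:
    """Parse getfacl output into AclEntry objects, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # '# file:', '# owner:', '# group:' header lines
        # getfacl appends '\t#effective:r--' when the mask reduces an entry;
        # drop it, we recompute the effective value ourselves.
        line = line.split("#", 1)[0].strip()
        tag, qualifier, perms = line.split(":")
        entries.append(AclEntry(tag, qualifier, perms))
    return entries


def apply_mask(perms: str, mask: str) -> str:
    """Bitwise AND of two 'rwx' strings: a right survives only if both grant it."""
    return "".join(p if (p != "-" and m != "-") else "-" for p, m in zip(perms, mask))


def effective_rights(entries: list) -> dict:
    """Map 'tag:qualifier' to the rights the kernel will actually enforce."""
    masks = [e.perms for e in entries if e.tag == "mask"]
    mask = masks[0] if masks else "rwx"  # no mask entry means nothing is capped
    result = {}
    for e in entries:
        if e.tag == "mask":
            continue
        key = f"{e.tag}:{e.qualifier}"
        result[key] = apply_mask(e.perms, mask) if e.is_masked else e.perms
    return result


def find_write_grants(entries: list) -> list:
    """Principals with effective write access; handy when auditing for stray grants."""
    return sorted(k for k, v in effective_rights(entries).items() if "w" in v)


if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_ACL)
    for principal, rights in effective_rights(acl).items():
        print(f"{principal:16} {rights}")
    print("can write:", find_write_grants(acl))
```

Run against the sample, alice’s rwx and libvirt’s rw- both collapse to r-- because the mask is r--, while the owner keeps rw-; that is the situation where `setfacl -m` looks like it granted access but the mask silently took it away, and why `--mask`/`-n` and the #effective: annotation matter when reviewing ACLs.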

A nice thing about setfacl is that one -m can take several comma-separated entries, so the owner, owning group and other base entries can be set in the same command as the named user and group entries, for example setfacl -m u::rwx,g:libvirt:rw-,o::r-- foobar. Note that setfacl never changes who owns the file; the owner and group themselves are still changed with chown and chgrp.

References

setfacl(1) – Linux man page – https://linux.die.net/man/1/setfacl

Access-control list – Wikipedia – https://en.wikipedia.org/wiki/Access-control_list

File system permissions – Wikipedia – https://en.wikipedia.org/wiki/File_system_permissions
